ERROR :MS32DLL.dll.vbs



#1 CareXun

CareXun

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 05 October 2009 - 09:33 AM

The full error description is as follows:

[RUNDLL]
command/Error in C:\windows\system32\wscript.exe
Missing entry: .MS32DLL.dll.vbs



Hi to anyone that can help,

I'm currently facing some virus error(s) on my computer, Windows XP Service Pack 2.
This error often appears whenever I double-click my Local Disk (C:); it pops up the error mentioned above.
Also, I am not able to access the local disk (C:) by simply double-clicking... please help me out.

Causes:
My computer was infected by a single pen drive plug-in that autoran.

Additional
I searched Google and found many sources to resolve this problem. But I don't trust those manual removal guides because I'm afraid of removing the wrong system code...?
From some similar topics I found in the forum, ComboFix seems to be the best solution I can find to remove the viruses. However, ComboFix requires creating a topic here, so that is what this topic is about...

I hope someone can help me out as fast as he/she can...
Thanks

Regards
carexun

PS: please be direct and to the point, and easy to understand. I'm not good at IT... :thumbsup:


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:03:26 AM

Posted 05 October 2009 - 12:12 PM

Welcome to BC
Let's do a couple of rootkit scans




We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

-------------------------------------------------------------


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

    --------------------------------------
Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 05 October 2009 - 12:47 PM

You can perform a rootkit scan to check for additional signs of infection but in this case you are dealing with a file related to "Hacked by Godzilla".

Have you performed any recent scans with your anti-virus or any other anti-malware programs like Malwarebytes Anti-Malware which will detect and remove MS32DLL.dll.vbs as (VBS.Godzilla)? If so, it's not unusual to receive such an error when "booting up" after using such tools to remove a malware infection.

RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules, which can themselves be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specific module could not be found" message usually occurs when the .dll file(s) set to run at startup in the registry have been deleted. Windows is trying to load the file(s) but cannot locate them, since they were most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

> My computer has been infected by a single Pen Drive plug-in, and autorun-ed.

A flash (usb, pen, thumb, jump) drive infection usually involves malware that modifies and loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.inf uses the Windows Explorer right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or the drive icon is double-clicked. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

As such, you should also do the following:

Please download Flash_Disinfector by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run the tool and follow any prompts that may appear.
  • If asked to insert your USB flash drive and other removable drives, please do so and allow the utility to clean them up as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Alternatively, you can download and use Panda USB Vaccine.
alternate download link
  • Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
  • Open that folder and double-click on USBVaccine.exe to start the program.
  • Click Run.
  • Click the button to Vaccinate computer..
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
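To make the context-menu redirection and the protective autorun.inf folder above concrete, here is an added example (not code from BleepingComputer, Flash_Disinfector or any other tool named in this thread) that parses an autorun.inf, lists which keys would launch a program, reports the verb Explorer runs on "Open"/double-click, and shows why a folder named autorun.inf blocks the file from being written. The sample file text is constructed around the thread's .MS32DLL.dll.vbs name.

```python
"""Inspect an autorun.inf the way the post above describes the hijack: which keys
launch a program, which verb Explorer's "Open"/double-click runs, and whether
the drive root carries the protective autorun.inf folder Flash_Disinfector
creates. Added example, not code from BleepingComputer or from that tool; the
sample file text is constructed around the thread's .MS32DLL.dll.vbs name."""
import os
import tempfile
from pathlib import Path

AUTOPLAY_KEYS = ("open", "shellexecute")   # run by AutoPlay on insert/mount
SCRIPTY = (".vbs", ".exe", ".bat", ".cmd", ".scr", ".js")


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """(key, command) pairs that execute something: AutoPlay keys plus every
    shell\\<verb>\\command, which is what Explorer's context menu invokes."""
    return [(k, v) for k, v in entries.items()
            if k in AUTOPLAY_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def default_verb(entries):
    """Verb run on double-click: 'shell=' if set, otherwise Explorer's 'open'."""
    return entries.get("shell", "open")


def suspicious(entries):
    """True when the default verb (or AutoPlay) runs a script or executable,
    i.e. the drive no longer simply opens in Explorer."""
    cmd = entries.get("shell\\" + default_verb(entries) + "\\command", entries.get("open", ""))
    return any(tok.lower().endswith(SCRIPTY) for tok in cmd.split())


def root_autorun_state(drive_root):
    """'folder' = protective directory present, 'file' = autorun.inf present, else 'none'."""
    p = Path(drive_root) / "autorun.inf"
    return "folder" if p.is_dir() else "file" if p.is_file() else "none"


def demo_protective_folder():
    """In a temp dir: create the folder, then confirm that writing a file named
    autorun.inf at the same spot fails, which is the protection described above."""
    with tempfile.TemporaryDirectory() as root:
        before = root_autorun_state(root)
        os.mkdir(os.path.join(root, "autorun.inf"))
        try:
            with open(os.path.join(root, "autorun.inf"), "w") as fh:
                fh.write("[autorun]\n")
            write_blocked = False
        except OSError:          # IsADirectoryError / PermissionError
            write_blocked = True
        return before, root_autorun_state(root), write_blocked


SAMPLE = r"""[autorun]
open=wscript.exe .MS32DLL.dll.vbs
shell\open=Open
shell\open\command=wscript.exe .MS32DLL.dll.vbs
shell\explore\command=wscript.exe .MS32DLL.dll.vbs
shell=open
"""
```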

#4 CareXun

CareXun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 06 October 2009 - 07:24 AM

garmanma wrote (Oct 5 2009, 12:12 PM):
> Welcome to BC
> Let's do a couple of rootkit scans


Hi Garmanma,

here is your log-report that you requested.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 20:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x97876000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x973B1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Tan Kare Xun\Local Settings\Application Data\Microsoft\Messenger\copycat-88@hotmail.com\SharingMetadata\angez86@hotmail.com\DFSR\Staging\CS{F8438B76-7A0B-8CFC-C305-1A5239D2A629}\28\206-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tan Kare Xun\Local Settings\Application Data\Microsoft\Messenger\copycat-88@hotmail.com\SharingMetadata\angez86@hotmail.com\DFSR\Staging\CS{F8438B76-7A0B-8CFC-C305-1A5239D2A629}\98\228-{5~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tan Kare Xun\Local Settings\Application Data\Microsoft\Messenger\smilling-pasta@live.com.my\SharingMetadata\cutepapayaboy@hotmail.com\DFSR\Staging\CS{7CAE0C97-826F-97D8-AA8C-92BF5F62D0C3}\11\16-{83~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tan Kare Xun\Local Settings\Application Data\Microsoft\Messenger\smilling-pasta@live.com.my\SharingMetadata\cutepapayaboy@hotmail.com\DFSR\Staging\CS{7CAE0C97-826F-97D8-AA8C-92BF5F62D0C3}\12\17-{836517F6-F17C-4A01-8A83-355460D61484}-v12-{836517F6-F17C-4A01-8A83-355460D61484}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tan Kare Xun\Local Settings\Application Data\Microsoft\Messenger\smilling-pasta@live.com.my\SharingMetadata\cutepapayaboy@hotmail.com\DFSR\Staging\CS{7CAE0C97-826F-97D8-AA8C-92BF5F62D0C3}\15\20-{836517F6-F17C-4A01-8A83-355460D61484}-v15-{836517F6-F17C-4A01-8A83-355460D61484}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Tan Kare Xun\Local Settings\Application Data\Microsoft\Messenger\smilling-pasta@live.com.my\SharingMetadata\cutepapayaboy@hotmail.com\DFSR\Staging\CS{7CAE0C97-826F-97D8-AA8C-92BF5F62D0C3}\21\22-{836517F6-F17C-4A01-8A83-355460D61484}-v21-{836517F6-F17C-4A01-8A83-355460D61484}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x99da4c96

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x99da4c8c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x99da4c9b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x99da4ca5

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0x99da4caa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x99da4c78

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x99da4c7d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0x99da4cb4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0x99da4caf

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x99da4ca0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x99da4c87

==EOF==


----------------------------


ps: If I have another issue in my computer, do I continue the post or create a new topic?

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 06 October 2009 - 08:56 AM

If the issue is malware related, then continue here after explaining what the problem is.

Creating new threads causes confusion and makes it more difficult to get the help you need to resolve your issues.

Did you follow my instructions yet? If not, you still need to do that.

#6 CareXun

CareXun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 08 October 2009 - 09:54 AM

Hi Garmanma,

I assume you missed my reply/message in the previous post?
I posted the log that I scanned 2 days ago, and I posted it without delay.
Below is the quote from yesterday... please review. :thumbsup:


(The RootRepeal log from post #4 is quoted again here, unchanged.)



#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:03:26 AM

Posted 08 October 2009 - 06:38 PM

Please follow QM7's response in post number 3 on using Autoruns to remove the orphan entry from startup
I believe that should take care of things
Mark

#8 CareXun

CareXun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 10 October 2009 - 09:14 AM

Hi Garmanma/QM7,

I have followed the steps that QM7 gave in post 3; in fact I downloaded autoruns.exe and scanned through my computer's system. Furthermore, I deleted some unknown error files that I found using 'Find (Ctrl+F)' in the autoruns.exe results after scanning. Autoruns.exe, however, does not remove the error that I faced, or perhaps I couldn't find any error entry(ies) in the autoruns.exe results.

I'm still having the same error, please guide me.

Regards
carexun

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:26 AM

Posted 10 October 2009 - 01:52 PM

This infection can add registry entries similar to these examples:

O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\.MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{589d6108-701d-11dc-961e-00e04d19f09d}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

Some types of malware will make changes to the registry to include the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files. For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file.

This step involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable. ERUNT is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Please download Windows Explorer Shell Fix. (scroll down) <- for Windows 2000/XP ONLY!
This is a tool that will reset all shell\open\command registry keys. Unzip (extract) shellfix.zip to your Desktop and double-click on shellfix.bat to run, then reboot your computer.
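As an added example that is not part of this thread or any tool it names, the script below audits an exported registry text for the three patterns quietman7 lists in post #9: a Run entry whose program no longer exists (the orphan behind the RunDLL error), a MountPoints2 AutoRun\command that redirects the drive's double-click, and an exefile\shell\open\command that is no longer the stock `"%1" %*`. The .reg-style sample is constructed and parsed offline; the paths and the MountPoints2 GUID come from the post, and which files "still exist" is a constructed set.

```python
"""Audit a registry export for the persistence entries post #9 describes.
Added example, not from BleepingComputer or any tool the thread names. The
.reg-style text below is constructed (offline; nothing touches a live
registry); the paths and the MountPoints2 GUID are taken from the thread."""
import re

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runonce")
EXE_DEFAULT = '"%1" %*'   # stock exefile\shell\open\command value


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes: \\ and \"


def parse_reg(text):
    """{key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = "@" if m.group(1) is None else _unescape(m.group(1))
                keys[current][name] = _unescape(m.group(2))
    return keys


def command_target(command):
    """The program a command line launches: its first (possibly quoted) token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def audit(reg_text, file_exists):
    """Findings as (kind, key, value_name, data): a Run entry whose program is
    gone (the orphan behind the RunDLL error), a MountPoints2 AutoRun\\command
    (drive double-click redirected), an exefile open command that is not stock."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, cmd in values.items():
                if not file_exists(command_target(cmd)):
                    findings.append(("orphaned-run-entry", key, name, cmd))
        elif "\\explorer\\mountpoints2\\" in k and k.endswith("\\autorun\\command"):
            findings.append(("mountpoints2-autorun", key, "@", values.get("@", "")))
        elif k.endswith("exefile\\shell\\open\\command"):
            if values.get("@") != EXE_DEFAULT:
                findings.append(("exefile-open-hijacked", key, "@", values.get("@", "")))
    return findings


SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MS32DLL"="C:\\WINDOWS\\.MS32DLL.dll.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{589d6108-701d-11dc-961e-00e04d19f09d}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
PRESENT = {r"c:\windows\system32\ctfmon.exe"}   # constructed: files still on disk


def sample_findings():
    return audit(SAMPLE, lambda path: path.lower() in PRESENT)
```

On a real machine the same `audit` would be fed the output of `reg export` and a `file_exists` backed by `os.path.exists`; the intact exefile key in the sample shows the check stays quiet when the value is stock.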



